-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.0218
         2024-01 Security Bulletin: Session Smart Router: Multiple
                         vulnerabilities resolved.
                              11 January 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Session Smart Router
Publisher:         Juniper Networks
Operating System:  Juniper
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-38802 CVE-2023-38408 CVE-2023-32360
                   CVE-2023-32067 CVE-2023-24329 CVE-2023-23920
                   CVE-2023-23918 CVE-2023-23454 CVE-2023-22809
                   CVE-2023-22081 CVE-2023-22049 CVE-2023-22045
                   CVE-2023-21968 CVE-2023-21967 CVE-2023-21954
                   CVE-2023-21939 CVE-2023-21938 CVE-2023-21937
                   CVE-2023-21930 CVE-2023-21843 CVE-2023-21830
                   CVE-2023-20593 CVE-2023-20569 CVE-2023-3817
                   CVE-2023-3446 CVE-2023-3341 CVE-2023-2828
                   CVE-2023-2650 CVE-2023-2235 CVE-2023-2194
                   CVE-2023-2124 CVE-2023-1829 CVE-2023-1582
                   CVE-2023-1281 CVE-2023-1195 CVE-2023-0767
                   CVE-2023-0461 CVE-2023-0394 CVE-2023-0386
                   CVE-2023-0286 CVE-2023-0266 CVE-2022-47929
                   CVE-2022-43945 CVE-2022-43750 CVE-2022-42896
                   CVE-2022-42722 CVE-2022-42721 CVE-2022-42720
                   CVE-2022-42703 CVE-2022-41974 CVE-2022-41973
                   CVE-2022-41674 CVE-2022-41222 CVE-2022-41218
                   CVE-2022-39189 CVE-2022-39188 CVE-2022-38023
                   CVE-2022-37434 CVE-2022-30594 CVE-2022-25265
                   CVE-2022-20141 CVE-2022-4378 CVE-2022-4269
                   CVE-2022-4254 CVE-2022-4139 CVE-2022-4129
                   CVE-2022-3707 CVE-2022-3628 CVE-2022-3625
                   CVE-2022-3623 CVE-2022-3619 CVE-2022-3567
                   CVE-2022-3566 CVE-2022-3564 CVE-2022-3524
                   CVE-2022-3239 CVE-2022-3028 CVE-2022-2964
                   CVE-2022-2873 CVE-2022-2795 CVE-2022-2663
                   CVE-2022-2196 CVE-2022-1789 CVE-2022-1679
                   CVE-2022-1462 CVE-2022-0934 CVE-2021-33656
                   CVE-2021-33655 CVE-2021-26341 CVE-2021-25220
                   CVE-2020-12321 CVE-2016-10009 

Original Bulletin: 
   https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Session-Smart-Router-Multiple-vulnerabilities-resolved

Comment: CVSS (Max):  9.8 CVE-2023-38408 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Juniper
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Article ID:       JSA75233

Product Affected: These issues affect all versions of Session Smart Router
prior to SSR-6.2.3-r2.

Severity Level:   Critical

CVSS Score:       9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem:

Multiple vulnerabilities have been resolved in Juniper Networks Session Smart
Router by updating third-party components.

These issues affect all versions of Juniper Networks Session Smart Router prior
to SSR-6.2.3-r2.

These issues were discovered during external security research.

Important security issues resolved include:

+--------------+--------+-----------------------------------------------------+
|     CVE      |  CVSS  |                       Summary                       |
+--------------+--------+-----------------------------------------------------+
|              |7.5 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:N/  |A single-byte, non-arbitrary write/use-after-free    |
|CVE-2022-0934 |AC:L/   |flaw was found in dnsmasq. This flaw allows an       |
|              |PR:N/   |attacker who sends a crafted packet processed by     |
|              |UI:N/S:U|dnsmasq, potentially causing a denial of service.    |
|              |/C:N/I:N|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |        |Vulnerability in the Oracle Java SE, Oracle GraalVM  |
|              |        |for JDK, Oracle GraalVM Enterprise Edition product of|
|              |        |Oracle Java SE (component: JSSE). Supported versions |
|              |        |that are affected are Oracle Java SE: 8u381,         |
|              |        |8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for  |
|              |        |JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition:  |
|              |        |20.3.11, 21.3.7 and 22.3.3. Easily exploitable       |
|              |        |vulnerability allows unauthenticated attacker with   |
|              |5.3 (   |network access via HTTPS to compromise Oracle Java   |
|              |CVSS:3.1|SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise|
|              |/AV:N/  |Edition. Successful attacks of this vulnerability can|
|              |AC:L/   |result in unauthorized ability to cause a partial    |
|CVE-2023-22081|PR:N/   |denial of service (partial DOS) of Oracle Java SE,   |
|              |UI:N/S:U|Oracle GraalVM for JDK, Oracle GraalVM Enterprise    |
|              |/C:N/I:N|Edition. Note: This vulnerability applies to Java    |
|              |/A:L )  |deployments, typically in clients running sandboxed  |
|              |        |Java Web Start applications or sandboxed Java        |
|              |        |applets, that load and run untrusted code (e.g., code|
|              |        |that comes from the internet) and rely on the Java   |
|              |        |sandbox for security. This vulnerability does not    |
|              |        |apply to Java deployments, typically in servers, that|
|              |        |load and run only trusted code (e.g., code installed |
|              |        |by an administrator). CVSS 3.1 Base Score 5.3        |
|              |        |(Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/ |
|              |        |AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).                     |
+--------------+--------+-----------------------------------------------------+
|              |        |The code that processes control channel messages sent|
|              |        |to `named` calls certain functions recursively during|
|              |        |packet parsing. Recursion depth is only limited by   |
|              |7.5 (   |the maximum accepted packet size; depending on the   |
|              |CVSS:3.1|environment, this may cause the packet-parsing code  |
|              |/AV:N/  |to run out of available stack memory, causing `named`|
|              |AC:L/   |to terminate unexpectedly. Since each incoming       |
|CVE-2023-3341 |PR:N/   |control channel message is fully parsed before its   |
|              |UI:N/S:U|contents are authenticated, exploiting this flaw does|
|              |/C:N/I:N|not require the attacker to hold a valid RNDC key;   |
|              |/A:H )  |only network access to the control channel's         |
|              |        |configured TCP port is necessary. This issue affects |
|              |        |BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through|
|              |        |9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through    |
|              |        |9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.        |
+--------------+--------+-----------------------------------------------------+
|              |        |Issue summary: Processing some specially crafted     |
|              |        |ASN.1 object identifiers or data containing them may |
|              |        |be very slow. Impact summary: Applications that use  |
|              |        |OBJ_obj2txt() directly, or use any of the OpenSSL    |
|              |        |subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS    |
|              |        |with no message size limit may experience notable to |
|              |        |very long delays when processing those messages,     |
|              |        |which may lead to a Denial of Service. An OBJECT     |
|              |        |IDENTIFIER is composed of a series of numbers -      |
|              |        |sub-identifiers - most of which have no size limit.  |
|              |        |OBJ_obj2txt() may be used to translate an ASN.1      |
|              |        |OBJECT IDENTIFIER given in DER encoding form (using  |
|              |        |the OpenSSL type ASN1_OBJECT) to its canonical       |
|              |        |numeric text form, which are the sub-identifiers of  |
|              |        |the OBJECT IDENTIFIER in decimal form, separated by  |
|              |        |periods. When one of the sub-identifiers in the      |
|              |        |OBJECT IDENTIFIER is very large (these are sizes that|
|              |        |are seen as absurdly large, taking up tens or        |
|              |        |hundreds of KiBs), the translation to a decimal      |
|              |        |number in text may take a very long time. The time   |
|              |        |complexity is O(n^2) with 'n' being the size of the  |
|              |6.5 (   |sub-identifiers in bytes (*). With OpenSSL 3.0,      |
|              |CVSS:3.1|support to fetch cryptographic algorithms using names|
|              |/AV:N/  |/ identifiers in string form was introduced. This    |
|              |AC:L/   |includes using OBJECT IDENTIFIERs in canonical       |
|CVE-2023-2650 |PR:N/   |numeric text form as identifiers for fetching        |
|              |UI:R/S:U|algorithms. Such OBJECT IDENTIFIERs may be received  |
|              |/C:N/I:N|through the ASN.1 structure AlgorithmIdentifier,     |
|              |/A:H )  |which is commonly used in multiple protocols to      |
|              |        |specify what cryptographic algorithm should be used  |
|              |        |to sign or verify, encrypt or decrypt, or digest     |
|              |        |passed data. Applications that call OBJ_obj2txt()    |
|              |        |directly with untrusted data are affected, with any  |
|              |        |version of OpenSSL. If the use is for the mere       |
|              |        |purpose of display, the severity is considered low.  |
|              |        |In OpenSSL 3.0 and newer, this affects the subsystems|
|              |        |OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also      |
|              |        |impacts anything that processes X.509 certificates,  |
|              |        |including simple things like verifying its signature.|
|              |        |The impact on TLS is relatively low, because all     |
|              |        |versions of OpenSSL have a 100KiB limit on the peer's|
|              |        |certificate chain. Additionally, this only impacts   |
|              |        |clients, or servers that have explicitly enabled     |
|              |        |client authentication. In OpenSSL 1.1.1 and 1.0.2,   |
|              |        |this only affects displaying diverse objects, such as|
|              |        |X.509 certificates. This is assumed to not happen in |
|              |        |such a way that it would cause a Denial of Service,  |
|              |        |so these versions are considered not affected by this|
|              |        |issue in such a way that it would be cause for       |
|              |        |concern, and the severity is therefore considered    |
|              |        |low.                                                 |
+--------------+--------+-----------------------------------------------------+
|              |        |Issue summary: Checking excessively long DH keys or  |
|              |        |parameters may be very slow. Impact summary:         |
|              |        |Applications that use the functions DH_check(),      |
|              |        |DH_check_ex() or EVP_PKEY_param_check() to check a DH|
|              |        |key or DH parameters may experience long delays.     |
|              |        |Where the key or parameters that are being checked   |
|              |        |have been obtained from an untrusted source this may |
|              |        |lead to a Denial of Service. The function DH_check() |
|              |        |performs various checks on DH parameters. One of     |
|              |        |those checks confirms that the modulus ('p'          |
|              |        |parameter) is not too large. Trying to use a very    |
|              |5.3 (   |large modulus is slow and OpenSSL will not normally  |
|              |CVSS:3.1|use a modulus which is over 10,000 bits in length.   |
|              |/AV:N/  |However the DH_check() function checks numerous      |
|CVE-2023-3446 |AC:L/   |aspects of the key or parameters that have been      |
|              |PR:N/   |supplied. Some of those checks use the supplied      |
|              |UI:N/S:U|modulus value even if it has already been found to be|
|              |/C:N/I:N|too large. An application that calls DH_check() and  |
|              |/A:L )  |supplies a key or parameters obtained from an        |
|              |        |untrusted source could be vulnerable to a Denial of  |
|              |        |Service attack. The function DH_check() is itself    |
|              |        |called by a number of other OpenSSL functions. An    |
|              |        |application calling any of those other functions may |
|              |        |similarly be affected. The other functions affected  |
|              |        |by this are DH_check_ex() and EVP_PKEY_param_check().|
|              |        |Also vulnerable are the OpenSSL dhparam and pkeyparam|
|              |        |command line applications when using the '-check'    |
|              |        |option. The OpenSSL SSL/TLS implementation is not    |
|              |        |affected by this issue. The OpenSSL 3.0 and 3.1 FIPS |
|              |        |providers are not affected by this issue.            |
+--------------+--------+-----------------------------------------------------+
|              |        |Issue summary: Checking excessively long DH keys or  |
|              |        |parameters may be very slow. Impact summary:         |
|              |        |Applications that use the functions DH_check(),      |
|              |        |DH_check_ex() or EVP_PKEY_param_check() to check a DH|
|              |        |key or DH parameters may experience long delays.     |
|              |        |Where the key or parameters that are being checked   |
|              |        |have been obtained from an untrusted source this may |
|              |        |lead to a Denial of Service. The function DH_check() |
|              |        |performs various checks on DH parameters. After      |
|              |        |fixing CVE-2023-3446 it was discovered that a large q|
|              |5.3 (   |parameter value can also trigger an overly long      |
|              |CVSS:3.1|computation during some of these checks. A correct q |
|              |/AV:N/  |value, if present, cannot be larger than the modulus |
|CVE-2023-3817 |AC:L/   |p parameter, thus it is unnecessary to perform these |
|              |PR:N/   |checks if q is larger than p. An application that    |
|              |UI:N/S:U|calls DH_check() and supplies a key or parameters    |
|              |/C:N/I:N|obtained from an untrusted source could be vulnerable|
|              |/A:L )  |to a Denial of Service attack. The function DH_check |
|              |        |() is itself called by a number of other OpenSSL     |
|              |        |functions. An application calling any of those other |
|              |        |functions may similarly be affected. The other       |
|              |        |functions affected by this are DH_check_ex() and     |
|              |        |EVP_PKEY_param_check(). Also vulnerable are the      |
|              |        |OpenSSL dhparam and pkeyparam command line           |
|              |        |applications when using the "-check" option. The     |
|              |        |OpenSSL SSL/TLS implementation is not affected by    |
|              |        |this issue. The OpenSSL 3.0 and 3.1 FIPS providers   |
|              |        |are not affected by this issue.                      |
+--------------+--------+-----------------------------------------------------+
|              |8.8 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:A/  |Improper buffer restriction in some Intel(R) Wireless|
|CVE-2020-12321|AC:L/   |Bluetooth(R) products before version 21.110 may allow|
|              |PR:N/   |an unauthenticated user to potentially enable        |
|              |UI:N/S:U|escalation of privilege via adjacent access.         |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |        |Vulnerability in the Oracle Java SE, Oracle GraalVM  |
|              |        |Enterprise Edition, Oracle GraalVM for JDK product of|
|              |        |Oracle Java SE (component: Hotspot). Supported       |
|              |        |versions that are affected are Oracle Java SE: 8u371,|
|              |        |8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM  |
|              |        |Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle  |
|              |        |GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to     |
|              |        |exploit vulnerability allows unauthenticated attacker|
|              |3.7 (   |with network access via multiple protocols to        |
|              |CVSS:3.1|compromise Oracle Java SE, Oracle GraalVM Enterprise |
|              |/AV:N/  |Edition, Oracle GraalVM for JDK. Successful attacks  |
|              |AC:H/   |of this vulnerability can result in unauthorized read|
|CVE-2023-22045|PR:N/   |access to a subset of Oracle Java SE, Oracle GraalVM |
|              |UI:N/S:U|Enterprise Edition, Oracle GraalVM for JDK accessible|
|              |/C:L/I:N|data. Note: This vulnerability can be exploited by   |
|              |/A:N )  |using APIs in the specified Component, e.g., through |
|              |        |a web service which supplies data to the APIs. This  |
|              |        |vulnerability also applies to Java deployments,      |
|              |        |typically in clients running sandboxed Java Web Start|
|              |        |applications or sandboxed Java applets, that load and|
|              |        |run untrusted code (e.g., code that comes from the   |
|              |        |internet) and rely on the Java sandbox for security. |
|              |        |CVSS 3.1 Base Score 3.7 (Confidentiality impacts).   |
|              |        |CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/  |
|              |        |I:N/A:N).                                            |
+--------------+--------+-----------------------------------------------------+
|              |        |Vulnerability in the Oracle Java SE, Oracle GraalVM  |
|              |        |Enterprise Edition, Oracle GraalVM for JDK product of|
|              |        |Oracle Java SE (component: Libraries). Supported     |
|              |        |versions that are affected are Oracle Java SE: 8u371,|
|              |        |8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM  |
|              |        |Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle  |
|              |        |GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to     |
|              |        |exploit vulnerability allows unauthenticated attacker|
|              |        |with network access via multiple protocols to        |
|              |3.7 (   |compromise Oracle Java SE, Oracle GraalVM Enterprise |
|              |CVSS:3.1|Edition, Oracle GraalVM for JDK. Successful attacks  |
|              |/AV:N/  |of this vulnerability can result in unauthorized     |
|CVE-2023-22049|AC:H/   |update, insert or delete access to some of Oracle    |
|              |PR:N/   |Java SE, Oracle GraalVM Enterprise Edition, Oracle   |
|              |UI:N/S:U|GraalVM for JDK accessible data. Note: This          |
|              |/C:N/I:L|vulnerability can be exploited by using APIs in the  |
|              |/A:N )  |specified Component, e.g., through a web service     |
|              |        |which supplies data to the APIs. This vulnerability  |
|              |        |also applies to Java deployments, typically in       |
|              |        |clients running sandboxed Java Web Start applications|
|              |        |or sandboxed Java applets, that load and run         |
|              |        |untrusted code (e.g., code that comes from the       |
|              |        |internet) and rely on the Java sandbox for security. |
|              |        |CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS    |
|              |        |Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/   |
|              |        |A:N).                                                |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |                                                     |
|              |CVSS:3.1|An authentication issue was addressed with improved  |
|              |/AV:L/  |state management. This issue is fixed in macOS Big   |
|CVE-2023-32360|AC:L/   |Sur 11.7.7, macOS Monterey 12.6.6, macOS Ventura     |
|              |PR:L/   |13.4. An unauthenticated user may be able to access  |
|              |UI:N/S:U|recently printed documents.                          |
|              |/C:H/I:N|                                                     |
|              |/A:N )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |        |multipath-tools 0.7.0 through 0.9.x before 0.9.2     |
|              |7.8 (   |allows local users to obtain root access, as         |
|              |CVSS:3.1|exploited alone or in conjunction with               |
|              |/AV:L/  |CVE-2022-41973. Local users able to write to UNIX    |
|CVE-2022-41974|AC:L/   |domain sockets can bypass access controls and        |
|              |PR:L/   |manipulate the multipath setup. This can lead to     |
|              |UI:N/S:U|local privilege escalation to root. This occurs      |
|              |/C:H/I:H|because an attacker can repeat a keyword, which is   |
|              |/A:H )  |mishandled because arithmetic ADD is used instead of |
|              |        |bitwise OR.                                          |
+--------------+--------+-----------------------------------------------------+
|              |7.5 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:N/  |FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS      |
|CVE-2023-38802|AC:L/   |4.3.3.2 allow a remote attacker to cause a denial of |
|              |PR:N/   |service via a crafted BGP update with a corrupted    |
|              |UI:N/S:U|attribute 23 (Tunnel Encapsulation).                 |
|              |/C:N/I:N|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |4.7 (   |                                                     |
|              |CVSS:3.1|A side channel vulnerability on some of the AMD CPUs |
|              |/AV:L/  |may allow an attacker to influence the return address|
|CVE-2023-20569|AC:H/   |prediction. This may result in speculative execution |
|              |PR:L/   |at an attacker-controlled address, potentially       |
|              |UI:N/S:U|leading to information disclosure.                   |
|              |/C:H/I:N|                                                     |
|              |/A:N )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:L/  |An issue in "Zen 2" CPUs, under specific             |
|CVE-2023-20593|AC:L/   |microarchitectural circumstances, may allow an       |
|              |PR:L/   |attacker to potentially access sensitive information.|
|              |UI:N/S:U|                                                     |
|              |/C:H/I:N|                                                     |
|              |/A:N )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |        |There are use-after-free vulnerabilities in the Linux|
|              |8.8 (   |kernel's net/bluetooth/l2cap_core.c's l2cap_connect  |
|              |CVSS:3.1|and l2cap_le_connect_req functions which may allow   |
|              |/AV:A/  |code execution and leaking kernel memory             |
|              |AC:L/   |(respectively) remotely via Bluetooth. A remote      |
|CVE-2022-42896|PR:N/   |attacker could execute code leaking kernel memory via|
|              |UI:N/S:U|Bluetooth if within proximity of the victim. We      |
|              |/C:H/I:H|recommend upgrading past commit https://github.com/  |
|              |/A:H )  |torvalds/linux/commit/                               |
|              |        |711f8c3fb3db61897080468586b970c87c61d9e4             |
+--------------+--------+-----------------------------------------------------+
|              |7.8 (   |Use After Free vulnerability in Linux kernel traffic |
|              |CVSS:3.1|control index filter (tcindex) allows Privilege      |
|              |/AV:L/  |Escalation. The imperfect hash area can be updated   |
|              |AC:L/   |while packets are traversing, which will cause a     |
|CVE-2023-1281 |PR:L/   |use-after-free when 'tcf_exts_exec()' is called with |
|              |UI:N/S:U|the destroyed tcf_ext. A local attacker user can use |
|              |/C:H/I:H|this vulnerability to elevate its privileges to root.|
|              |/A:H )  |This issue affects Linux Kernel: from 4.14 before git|
|              |        |commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.     |
+--------------+--------+-----------------------------------------------------+
|              |        |A use-after-free vulnerability in the Linux Kernel   |
|              |7.8 (   |traffic control index filter (tcindex) can be        |
|              |CVSS:3.1|exploited to achieve local privilege escalation. The |
|              |/AV:L/  |tcindex_delete function which does not properly      |
|CVE-2023-1829 |AC:L/   |deactivate filters in case of a perfect hashes while |
|              |PR:L/   |deleting the underlying structure which can later    |
|              |UI:N/S:U|lead to double freeing the structure. A local        |
|              |/C:H/I:H|attacker user can use this vulnerability to elevate  |
|              |/A:H )  |its privileges to root. We recommend upgrading past  |
|              |        |commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.     |
+--------------+--------+-----------------------------------------------------+
|              |7.8 (   |                                                     |
|              |CVSS:3.1|An out-of-bounds memory access flaw was found in the |
|              |/AV:L/  |Linux kernel's XFS file system in how a user restores|
|CVE-2023-2124 |AC:L/   |an XFS image after failure (with a dirty log         |
|              |PR:L/   |journal). This flaw allows a local user to crash or  |
|              |UI:N/S:U|potentially escalate their privileges on the system. |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |6.7 (   |An out-of-bounds write vulnerability was found in the|
|              |CVSS:3.1|Linux kernel's SLIMpro I2C device driver. The        |
|              |/AV:L/  |userspace "data->block[0]" variable was not capped to|
|CVE-2023-2194 |AC:L/   |a number between 0-255 and was used as the size of a |
|              |PR:H/   |memcpy, possibly writing beyond the end of           |
|              |UI:N/S:U|dma_buffer. This flaw could allow a local privileged |
|              |/C:H/I:H|user to crash the system or potentially achieve code |
|              |/A:H )  |execution.                                           |
+--------------+--------+-----------------------------------------------------+
|              |        |A use-after-free vulnerability in the Linux Kernel   |
|              |7.8 (   |Performance Events system can be exploited to achieve|
|              |CVSS:3.1|local privilege escalation. The perf_group_detach    |
|              |/AV:L/  |function did not check the event's siblings'         |
|              |AC:L/   |attach_state before calling add_event_to_groups(),   |
|CVE-2023-2235 |PR:L/   |but remove_on_exec made it possible to call          |
|              |UI:N/S:U|list_del_event() on before detaching from their      |
|              |/C:H/I:H|group, making it possible to use a dangling pointer  |
|              |/A:H )  |causing a use-after-free vulnerability. We recommend |
|              |        |upgrading past commit                                |
|              |        |fd0815f632c24878e325821943edccc7fde947a2.            |
+--------------+--------+-----------------------------------------------------+
|              |9.8 (   |The PKCS#11 feature in ssh-agent in OpenSSH before   |
|              |CVSS:3.1|9.3p2 has an insufficiently trustworthy search path, |
|              |/AV:N/  |leading to remote code execution if an agent is      |
|CVE-2023-38408|AC:L/   |forwarded to an attacker-controlled system. (Code in |
|              |PR:N/   |/usr/lib is not necessarily safe for loading into    |
|              |UI:N/S:U|ssh-agent.) NOTE: this issue exists because of an    |
|              |/C:H/I:H|incomplete fix for CVE-2016-10009.                   |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |        |Every `named` instance configured to run as a        |
|              |        |recursive resolver maintains a cache database holding|
|              |        |the responses to the queries it has recently sent to |
|              |        |authoritative servers. The size limit for that cache |
|              |        |database can be configured using the `max-cache-size`|
|              |        |statement in the configuration file; it defaults to  |
|              |7.5 (   |90% of the total amount of memory available on the   |
|              |CVSS:3.1|host. When the size of the cache reaches 7/8 of the  |
|              |/AV:N/  |configured limit, a cache-cleaning algorithm starts  |
|              |AC:L/   |to remove expired and/or least-recently used RRsets  |
|CVE-2023-2828 |PR:N/   |from the cache, to keep memory use below the         |
|              |UI:N/S:U|configured limit. It has been discovered that the    |
|              |/C:N/I:N|effectiveness of the cache-cleaning algorithm used in|
|              |/A:H )  |`named` can be severely diminished by querying the   |
|              |        |resolver for specific RRsets in a certain order,     |
|              |        |effectively allowing the configured `max-cache-size` |
|              |        |limit to be significantly exceeded. This issue       |
|              |        |affects BIND 9 versions 9.11.0 through 9.16.41,      |
|              |        |9.18.0 through 9.18.15, 9.19.0 through 9.19.13,      |
|              |        |9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through |
|              |        |9.18.15-S1.                                          |
+--------------+--------+-----------------------------------------------------+
|              |        |Vulnerability in the Oracle Java SE, Oracle GraalVM  |
|              |        |Enterprise Edition product of Oracle Java SE         |
|              |        |(component: JSSE). Supported versions that are       |
|              |        |affected are Oracle Java SE: 8u361, 8u361-perf,      |
|              |        |11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise       |
|              |        |Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to     |
|              |        |exploit vulnerability allows unauthenticated attacker|
|              |        |with network access via TLS to compromise Oracle Java|
|              |        |SE, Oracle GraalVM Enterprise Edition. Successful    |
|              |7.4 (   |attacks of this vulnerability can result in          |
|              |CVSS:3.1|unauthorized creation, deletion or modification      |
|              |/AV:N/  |access to critical data or all Oracle Java SE, Oracle|
|              |AC:H/   |GraalVM Enterprise Edition accessible data as well as|
|CVE-2023-21930|PR:N/   |unauthorized access to critical data or complete     |
|              |UI:N/S:U|access to all Oracle Java SE, Oracle GraalVM         |
|              |/C:H/I:H|Enterprise Edition accessible data. Note: This       |
|              |/A:N )  |vulnerability applies to Java deployments, typically |
|              |        |in clients running sandboxed Java Web Start          |
|              |        |applications or sandboxed Java applets, that load and|
|              |        |run untrusted code (e.g., code that comes from the   |
|              |        |internet) and rely on the Java sandbox for security. |
|              |        |This vulnerability can also be exploited by using    |
|              |        |APIs in the specified Component, e.g., through a web |
|              |        |service which supplies data to the APIs. CVSS 3.1    |
|              |        |Base Score 7.4 (Confidentiality and Integrity        |
|              |        |impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/|
|              |        |S:U/C:H/I:H/A:N).                                    |
+--------------+--------+-----------------------------------------------------+
|              |        |Vulnerability in the Oracle Java SE, Oracle GraalVM  |
|              |        |Enterprise Edition product of Oracle Java SE         |
|              |        |(component: Networking). Supported versions that are |
|              |        |affected are Oracle Java SE: 8u361, 8u361-perf,      |
|              |        |11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise       |
|              |        |Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to     |
|              |        |exploit vulnerability allows unauthenticated attacker|
|              |3.7 (   |with network access via multiple protocols to        |
|              |CVSS:3.1|compromise Oracle Java SE, Oracle GraalVM Enterprise |
|              |/AV:N/  |Edition. Successful attacks of this vulnerability can|
|              |AC:H/   |result in unauthorized update, insert or delete      |
|CVE-2023-21937|PR:N/   |access to some of Oracle Java SE, Oracle GraalVM     |
|              |UI:N/S:U|Enterprise Edition accessible data. Note: This       |
|              |/C:N/I:L|vulnerability applies to Java deployments, typically |
|              |/A:N )  |in clients running sandboxed Java Web Start          |
|              |        |applications or sandboxed Java applets, that load and|
|              |        |run untrusted code (e.g., code that comes from the   |
|              |        |internet) and rely on the Java sandbox for security. |
|              |        |This vulnerability can also be exploited by using    |
|              |        |APIs in the specified Component, e.g., through a web |
|              |        |service which supplies data to the APIs. CVSS 3.1    |
|              |        |Base Score 3.7 (Integrity impacts). CVSS Vector:     |
|              |        |(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).      |
+--------------+--------+-----------------------------------------------------+
|              |        |Vulnerability in the Oracle Java SE, Oracle GraalVM  |
|              |        |Enterprise Edition product of Oracle Java SE         |
|              |        |(component: Libraries). Supported versions that are  |
|              |        |affected are Oracle Java SE: 8u361, 8u361-perf,      |
|              |        |11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise       |
|              |        |Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to     |
|              |        |exploit vulnerability allows unauthenticated attacker|
|              |        |with network access via multiple protocols to        |
|              |3.7 (   |compromise Oracle Java SE, Oracle GraalVM Enterprise |
|              |CVSS:3.1|Edition. Successful attacks of this vulnerability can|
|              |/AV:N/  |result in unauthorized update, insert or delete      |
|CVE-2023-21938|AC:H/   |access to some of Oracle Java SE, Oracle GraalVM     |
|              |PR:N/   |Enterprise Edition accessible data. Note: This       |
|              |UI:N/S:U|vulnerability applies to Java deployments, typically |
|              |/C:N/I:L|in clients running sandboxed Java Web Start          |
|              |/A:N )  |applications or sandboxed Java applets, that load and|
|              |        |run untrusted code (e.g., code that comes from the   |
|              |        |internet) and rely on the Java sandbox for security. |
|              |        |This vulnerability does not apply to Java            |
|              |        |deployments, typically in servers, that load and run |
|              |        |only trusted code (e.g., code installed by an        |
|              |        |administrator). CVSS 3.1 Base Score 3.7 (Integrity   |
|              |        |impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/|
|              |        |S:U/C:N/I:L/A:N).                                    |
+--------------+--------+-----------------------------------------------------+
|              |        |Vulnerability in the Oracle Java SE, Oracle GraalVM  |
|              |        |Enterprise Edition product of Oracle Java SE         |
|              |        |(component: Swing). Supported versions that are      |
|              |        |affected are Oracle Java SE: 8u361, 8u361-perf,      |
|              |        |11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise       |
|              |        |Edition: 20.3.9, 21.3.5 and 22.3.1. Easily           |
|              |        |exploitable vulnerability allows unauthenticated     |
|              |5.3 (   |attacker with network access via HTTP to compromise  |
|              |CVSS:3.1|Oracle Java SE, Oracle GraalVM Enterprise Edition.   |
|              |/AV:N/  |Successful attacks of this vulnerability can result  |
|              |AC:L/   |in unauthorized update, insert or delete access to   |
|CVE-2023-21939|PR:N/   |some of Oracle Java SE, Oracle GraalVM Enterprise    |
|              |UI:N/S:U|Edition accessible data. Note: This vulnerability    |
|              |/C:N/I:L|applies to Java deployments, typically in clients    |
|              |/A:N )  |running sandboxed Java Web Start applications or     |
|              |        |sandboxed Java applets, that load and run untrusted  |
|              |        |code (e.g., code that comes from the internet) and   |
|              |        |rely on the Java sandbox for security. This          |
|              |        |vulnerability can also be exploited by using APIs in |
|              |        |the specified Component, e.g., through a web service |
|              |        |which supplies data to the APIs. CVSS 3.1 Base Score |
|              |        |5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/|
|              |        |AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).                     |
+--------------+--------+-----------------------------------------------------+
|              |        |Vulnerability in the Oracle Java SE, Oracle GraalVM  |
|              |        |Enterprise Edition product of Oracle Java SE         |
|              |        |(component: Hotspot). Supported versions that are    |
|              |        |affected are Oracle Java SE: 8u361, 8u361-perf,      |
|              |        |11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition:  |
|              |        |20.3.9, 21.3.5 and 22.3.1. Difficult to exploit      |
|              |        |vulnerability allows unauthenticated attacker with   |
|              |        |network access via multiple protocols to compromise  |
|              |5.9 (   |Oracle Java SE, Oracle GraalVM Enterprise Edition.   |
|              |CVSS:3.1|Successful attacks of this vulnerability can result  |
|              |/AV:N/  |in unauthorized access to critical data or complete  |
|CVE-2023-21954|AC:H/   |access to all Oracle Java SE, Oracle GraalVM         |
|              |PR:N/   |Enterprise Edition accessible data. Note: This       |
|              |UI:N/S:U|vulnerability applies to Java deployments, typically |
|              |/C:H/I:N|in clients running sandboxed Java Web Start          |
|              |/A:N )  |applications or sandboxed Java applets, that load and|
|              |        |run untrusted code (e.g., code that comes from the   |
|              |        |internet) and rely on the Java sandbox for security. |
|              |        |This vulnerability can also be exploited by using    |
|              |        |APIs in the specified Component, e.g., through a web |
|              |        |service which supplies data to the APIs. CVSS 3.1    |
|              |        |Base Score 5.9 (Confidentiality impacts). CVSS       |
|              |        |Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/   |
|              |        |A:N).                                                |
+--------------+--------+-----------------------------------------------------+
|              |        |Vulnerability in the Oracle Java SE, Oracle GraalVM  |
|              |        |Enterprise Edition product of Oracle Java SE         |
|              |        |(component: JSSE). Supported versions that are       |
|              |        |affected are Oracle Java SE: 8u361, 8u361-perf,      |
|              |        |11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise       |
|              |        |Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to     |
|              |        |exploit vulnerability allows unauthenticated attacker|
|              |5.9 (   |with network access via HTTPS to compromise Oracle   |
|              |CVSS:3.1|Java SE, Oracle GraalVM Enterprise Edition.          |
|              |/AV:N/  |Successful attacks of this vulnerability can result  |
|              |AC:H/   |in unauthorized ability to cause a hang or frequently|
|CVE-2023-21967|PR:N/   |repeatable crash (complete DOS) of Oracle Java SE,   |
|              |UI:N/S:U|Oracle GraalVM Enterprise Edition. Note: This        |
|              |/C:N/I:N|vulnerability applies to Java deployments, typically |
|              |/A:H )  |in clients running sandboxed Java Web Start          |
|              |        |applications or sandboxed Java applets, that load and|
|              |        |run untrusted code (e.g., code that comes from the   |
|              |        |internet) and rely on the Java sandbox for security. |
|              |        |This vulnerability can also be exploited by using    |
|              |        |APIs in the specified Component, e.g., through a web |
|              |        |service which supplies data to the APIs. CVSS 3.1    |
|              |        |Base Score 5.9 (Availability impacts). CVSS Vector:  |
|              |        |(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).      |
+--------------+--------+-----------------------------------------------------+
|              |        |Vulnerability in the Oracle Java SE, Oracle GraalVM  |
|              |        |Enterprise Edition product of Oracle Java SE         |
|              |        |(component: Libraries). Supported versions that are  |
|              |        |affected are Oracle Java SE: 8u361, 8u361-perf,      |
|              |        |11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise       |
|              |        |Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to     |
|              |        |exploit vulnerability allows unauthenticated attacker|
|              |3.7 (   |with network access via multiple protocols to        |
|              |CVSS:3.1|compromise Oracle Java SE, Oracle GraalVM Enterprise |
|              |/AV:N/  |Edition. Successful attacks of this vulnerability can|
|              |AC:H/   |result in unauthorized update, insert or delete      |
|CVE-2023-21968|PR:N/   |access to some of Oracle Java SE, Oracle GraalVM     |
|              |UI:N/S:U|Enterprise Edition accessible data. Note: This       |
|              |/C:N/I:L|vulnerability applies to Java deployments, typically |
|              |/A:N )  |in clients running sandboxed Java Web Start          |
|              |        |applications or sandboxed Java applets, that load and|
|              |        |run untrusted code (e.g., code that comes from the   |
|              |        |internet) and rely on the Java sandbox for security. |
|              |        |This vulnerability can also be exploited by using    |
|              |        |APIs in the specified Component, e.g., through a web |
|              |        |service which supplies data to the APIs. CVSS 3.1    |
|              |        |Base Score 3.7 (Integrity impacts). CVSS Vector:     |
|              |        |(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).      |
+--------------+--------+-----------------------------------------------------+
|              |7.5 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:N/  |An issue in the urllib.parse component of Python     |
|CVE-2023-24329|AC:L/   |before 3.11.4 allows attackers to bypass blocklisting|
|              |PR:N/   |methods by supplying a URL that starts with blank    |
|              |UI:N/S:U|characters.                                          |
|              |/C:N/I:H|                                                     |
|              |/A:N )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |7.5 (   |c-ares is an asynchronous resolver library. c-ares is|
|              |CVSS:3.1|vulnerable to denial of service. If a target resolver|
|              |/AV:N/  |sends a query, the attacker forges a malformed UDP   |
|CVE-2023-32067|AC:L/   |packet with a length of 0 and returns it to the      |
|              |PR:N/   |target resolver. The target resolver erroneously     |
|              |UI:N/S:U|interprets the 0 length as a graceful shutdown of the|
|              |/C:N/I:N|connection. This issue has been patched in version   |
|              |/A:H )  |1.19.1.                                              |
+--------------+--------+-----------------------------------------------------+
|              |6.5 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:L/  |Some AMD CPUs may transiently execute beyond         |
|CVE-2021-26341|AC:L/   |unconditional direct branches, which may potentially |
|              |PR:L/   |result in data leakage.                              |
|              |UI:N/S:C|                                                     |
|              |/C:H/I:N|                                                     |
|              |/A:N )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |6.7 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:L/  |When sending malicious data to kernel by ioctl cmd   |
|CVE-2021-33655|AC:L/   |FBIOPUT_VSCREENINFO, kernel will write memory out of |
|              |PR:H/   |bounds.                                              |
|              |UI:N/S:U|                                                     |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |6.8 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:P/  |                                                     |
|CVE-2021-33656|AC:L/   |When setting font with malicious data by ioctl cmd   |
|              |PR:N/   |PIO_FONT, kernel will write memory out of bounds.    |
|              |UI:N/S:U|                                                     |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |6.3 (   |An out-of-bounds read flaw was found in the Linux    |
|              |CVSS:3.1|kernel's TeleTYpe subsystem. The issue occurs in how |
|              |/AV:L/  |a user triggers a race condition using ioctls        |
|CVE-2022-1462 |AC:H/   |TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC    |
|              |PR:L/   |with leakage of memory in the flush_to_ldisc         |
|              |UI:N/S:U|function. This flaw allows a local user to crash the |
|              |/C:H/I:N|system or read unauthorized random data from memory. |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |7.8 (   |                                                     |
|              |CVSS:3.1|A use-after-free flaw was found in the Linux kernel's|
|              |/AV:L/  |Atheros wireless adapter driver in the way a user    |
|CVE-2022-1679 |AC:L/   |forces the ath9k_htc_wait_for_target function to fail|
|              |PR:L/   |with some input messages. This flaw allows a local   |
|              |UI:N/S:U|user to crash or potentially escalate their          |
|              |/C:H/I:H|privileges on the system.                            |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |6.8 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:P/  |With shadow paging enabled, the INVPCID instruction  |
|CVE-2022-1789 |AC:L/   |results in a call to kvm_mmu_invpcid_gva. If INVPCID |
|              |PR:N/   |is executed with CR0.PG=0, the invlpg callback is not|
|              |UI:N/S:U|set and the result is a NULL pointer dereference.    |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |7.0 (   |In ip_check_mc_rcu of igmp.c, there is a possible use|
|              |CVSS:3.1|after free due to improper locking. This could lead  |
|              |/AV:L/  |to local escalation of privilege when opening and    |
|CVE-2022-20141|AC:H/   |closing inet sockets with no additional execution    |
|              |PR:L/   |privileges needed. User interaction is not needed for|
|              |UI:N/S:U|exploitation. Product: Android; Versions: Android    |
|              |/C:H/I:H|kernel; Android ID: A-112551163; References: Upstream|
|              |/A:H )  |kernel                                               |
+--------------+--------+-----------------------------------------------------+
|              |8.8 (   |A regression exists in the Linux Kernel within KVM:  |
|              |CVSS:3.1|nVMX that allowed for speculative execution attacks. |
|              |/AV:L/  |L2 can carry out Spectre v2 attacks on L1 due to L1  |
|              |AC:L/   |thinking it doesn't need retpolines or IBPB after    |
|CVE-2022-2196 |PR:L/   |running L2 due to KVM (L0) advertising eIBRS support |
|              |UI:N/S:C|to L1. An attacker at L2 with code execution can     |
|              |/C:H/I:H|execute code on an indirect branch on the host       |
|              |/A:H )  |machine. We recommend upgrading to Kernel 6.2 or past|
|              |        |commit 2e7eab81425a                                  |
+--------------+--------+-----------------------------------------------------+
|              |7.8 (   |                                                     |
|              |CVSS:3.1|In the Linux kernel through 5.16.10, certain binary  |
|              |/AV:L/  |files may have the exec-all attribute if they were   |
|CVE-2022-25265|AC:L/   |built in approximately 2003 (e.g., with GCC 3.2.2 and|
|              |PR:L/   |Linux kernel 2.4.20). This can cause execution of    |
|              |UI:N/S:U|bytes located in supposedly non-executable regions of|
|              |/C:H/I:H|a file.                                              |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |5.3 (   |                                                     |
|              |CVSS:3.1|An issue was found in the Linux kernel in            |
|              |/AV:N/  |nf_conntrack_irc where the message handling can be   |
|CVE-2022-2663 |AC:L/   |confused and incorrectly matches the message. A      |
|              |PR:N/   |firewall may be able to be bypassed when users are   |
|              |UI:N/S:U|using unencrypted IRC with nf_conntrack_irc          |
|              |/C:N/I:L|configured.                                          |
|              |/A:N )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |7.0 (   |A race condition was found in the Linux kernel's IP  |
|              |CVSS:3.1|framework for transforming packets (XFRM subsystem)  |
|              |/AV:L/  |when multiple calls to xfrm_probe_algs occurred      |
|CVE-2022-3028 |AC:H/   |simultaneously. This flaw could allow a local        |
|              |PR:L/   |attacker to potentially trigger an out-of-bounds     |
|              |UI:N/S:U|write or leak kernel heap memory by performing an    |
|              |/C:H/I:H|out-of-bounds read and copying it into a socket.     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |7.8 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:L/  |The Linux kernel before 5.17.2 mishandles seccomp    |
|CVE-2022-30594|AC:L/   |permissions. The PTRACE_SEIZE code path allows       |
|              |PR:L/   |attackers to bypass intended restrictions on setting |
|              |UI:N/S:U|the PT_SUSPEND_SECCOMP flag.                         |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |7.8 (   |                                                     |
|              |CVSS:3.1|A use-after-free flaw in the Linux kernel video4linux|
|              |/AV:L/  |driver was found in the way a user triggers          |
|CVE-2022-3239 |AC:L/   |em28xx_usb_probe() for the Empia 28xx based TV cards.|
|              |PR:L/   |A local user could use this flaw to crash the system |
|              |UI:N/S:U|or potentially escalate their privileges on the      |
|              |/C:H/I:H|system.                                              |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |A vulnerability was found in Linux Kernel. It has    |
|              |CVSS:3.1|been declared as problematic. Affected by this       |
|              |/AV:L/  |vulnerability is the function ipv6_renew_options of  |
|CVE-2022-3524 |AC:L/   |the component IPv6 Handler. The manipulation leads to|
|              |PR:L/   |memory leak. The attack can be launched remotely. It |
|              |UI:N/S:U|is recommended to apply a patch to fix this issue.   |
|              |/C:N/I:N|The identifier VDB-211021 was assigned to this       |
|              |/A:H )  |vulnerability.                                       |
+--------------+--------+-----------------------------------------------------+
|              |7.1 (   |A vulnerability classified as critical was found in  |
|              |CVSS:3.1|Linux Kernel. Affected by this vulnerability is the  |
|              |/AV:A/  |function l2cap_reassemble_sdu of the file net/       |
|CVE-2022-3564 |AC:H/   |bluetooth/l2cap_core.c of the component Bluetooth.   |
|              |PR:L/   |The manipulation leads to use after free. It is      |
|              |UI:N/S:U|recommended to apply a patch to fix this issue. The  |
|              |/C:H/I:H|associated identifier of this vulnerability is       |
|              |/A:H )  |VDB-211087.                                          |
+--------------+--------+-----------------------------------------------------+
|              |7.1 (   |A vulnerability, which was classified as problematic,|
|              |CVSS:3.1|was found in Linux Kernel. This affects the function |
|              |/AV:A/  |tcp_getsockopt/tcp_setsockopt of the component TCP   |
|CVE-2022-3566 |AC:H/   |Handler. The manipulation leads to race condition. It|
|              |PR:L/   |is recommended to apply a patch to fix this issue.   |
|              |UI:N/S:U|The identifier VDB-211089 was assigned to this       |
|              |/C:H/I:H|vulnerability.                                       |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |6.4 (   |A vulnerability has been found in Linux Kernel and   |
|              |CVSS:3.1|classified as problematic. This vulnerability affects|
|              |/AV:A/  |the function inet6_stream_ops/inet6_dgram_ops of the |
|CVE-2022-3567 |AC:H/   |component IPv6 Handler. The manipulation leads to    |
|              |PR:N/   |race condition. It is recommended to apply a patch to|
|              |UI:N/S:U|fix this issue. VDB-211090 is the identifier assigned|
|              |/C:L/I:L|to this vulnerability.                               |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |4.3 (   |A vulnerability has been found in Linux Kernel and   |
|              |CVSS:3.1|classified as problematic. This vulnerability affects|
|              |/AV:A/  |the function l2cap_recv_acldata of the file net/     |
|CVE-2022-3619 |AC:L/   |bluetooth/l2cap_core.c of the component Bluetooth.   |
|              |PR:N/   |The manipulation leads to memory leak. It is         |
|              |UI:N/S:U|recommended to apply a patch to fix this issue.      |
|              |/C:N/I:N|VDB-211918 is the identifier assigned to this        |
|              |/A:L )  |vulnerability.                                       |
+--------------+--------+-----------------------------------------------------+
|              |7.5 (   |A vulnerability was found in Linux Kernel. It has    |
|              |CVSS:3.1|been declared as problematic. Affected by this       |
|              |/AV:N/  |vulnerability is the function follow_page_pte of the |
|CVE-2022-3623 |AC:H/   |file mm/gup.c of the component BPF. The manipulation |
|              |PR:L/   |leads to race condition. The attack can be launched  |
|              |UI:N/S:U|remotely. It is recommended to apply a patch to fix  |
|              |/C:H/I:H|this issue. The identifier VDB-211921 was assigned to|
|              |/A:H )  |this vulnerability.                                  |
+--------------+--------+-----------------------------------------------------+
|              |7.8 (   |A vulnerability was found in Linux Kernel. It has    |
|              |CVSS:3.1|been classified as critical. This affects the        |
|              |/AV:L/  |function devlink_param_set/devlink_param_get of the  |
|CVE-2022-3625 |AC:L/   |file net/core/devlink.c of the component IPsec. The  |
|              |PR:L/   |manipulation leads to use after free. It is          |
|              |UI:N/S:U|recommended to apply a patch to fix this issue. The  |
|              |/C:H/I:H|identifier VDB-211929 was assigned to this           |
|              |/A:H )  |vulnerability.                                       |
+--------------+--------+-----------------------------------------------------+
|              |6.6 (   |                                                     |
|              |CVSS:3.1|A buffer overflow flaw was found in the Linux kernel |
|              |/AV:P/  |Broadcom Full MAC Wi-Fi driver. This issue occurs    |
|CVE-2022-3628 |AC:L/   |when a user connects to a malicious USB device. This |
|              |PR:L/   |can allow a local user to crash the system or        |
|              |UI:N/S:U|escalate their privileges.                           |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |                                                     |
|              |CVSS:3.1|A double-free memory flaw was found in the Linux     |
|              |/AV:L/  |kernel. The Intel GVT-g graphics driver triggers VGA |
|CVE-2022-3707 |AC:L/   |card system resource overload, causing a fail in the |
|              |PR:L/   |intel_gvt_dma_map_guest_page function. This issue    |
|              |UI:N/S:U|could allow a local user to crash the system.        |
|              |/C:N/I:N|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |4.7 (   |                                                     |
|              |CVSS:3.1|An issue was discovered in include/asm-generic/tlb.h |
|              |/AV:L/  |in the Linux kernel before 5.19. Because of a race   |
|CVE-2022-39188|AC:H/   |condition (unmap_mapping_range versus munmap), a     |
|              |PR:L/   |device driver can free a page while it still has     |
|              |UI:N/S:U|stale TLB entries. This only occurs in situations    |
|              |/C:N/I:N|with VM_PFNMAP VMAs.                                 |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |7.8 (   |                                                     |
|              |CVSS:3.1|An issue was discovered in the x86 KVM subsystem in  |
|              |/AV:L/  |the Linux kernel before 5.18.17. Unprivileged guest  |
|CVE-2022-39189|AC:L/   |users can compromise the guest kernel because TLB    |
|              |PR:L/   |flush operations are mishandled in certain           |
|              |UI:N/S:U|KVM_VCPU_PREEMPTED situations.                       |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:L/  |In drivers/media/dvb-core/dmxdev.c in the Linux      |
|CVE-2022-41218|AC:L/   |kernel through 5.19.10, there is a use-after-free    |
|              |PR:L/   |caused by refcount races, affecting dvb_demux_open   |
|              |UI:N/S:U|and dvb_dmxdev_release.                              |
|              |/C:N/I:N|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |                                                     |
|              |CVSS:3.1|A flaw was found in the Linux kernel's Layer 2       |
|              |/AV:L/  |Tunneling Protocol (L2TP). A missing lock when       |
|CVE-2022-4129 |AC:L/   |clearing sk_user_data can lead to a race condition   |
|              |PR:L/   |and NULL pointer dereference. A local user could use |
|              |UI:N/S:U|this flaw to potentially crash the system causing a  |
|              |/C:N/I:N|denial of service.                                   |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |8.1 (   |                                                     |
|              |CVSS:3.1|An issue was discovered in the Linux kernel before   |
|              |/AV:A/  |5.19.16. Attackers able to inject WLAN frames could  |
|CVE-2022-41674|AC:L/   |cause a buffer overflow in the                       |
|              |PR:N/   |ieee80211_bss_info_update function in net/mac80211/  |
|              |UI:N/S:U|scan.c.                                              |
|              |/C:H/I:N|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:L/  |                                                     |
|CVE-2022-42703|AC:L/   |mm/rmap.c in the Linux kernel before 5.19.7 has a    |
|              |PR:L/   |use-after-free related to leaf anon_vma double reuse.|
|              |UI:N/S:U|                                                     |
|              |/C:N/I:N|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |7.8 (   |                                                     |
|              |CVSS:3.1|Various refcounting bugs in the multi-BSS handling in|
|              |/AV:L/  |the mac80211 stack in the Linux kernel 5.1 through   |
|CVE-2022-42720|AC:L/   |5.19.x before 5.19.16 could be used by local         |
|              |PR:L/   |attackers (able to inject WLAN frames) to trigger    |
|              |UI:N/S:U|use-after-free conditions to potentially execute     |
|              |/C:H/I:H|code.                                                |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |                                                     |
|              |CVSS:3.1|A list management bug in BSS handling in the mac80211|
|              |/AV:L/  |stack in the Linux kernel 5.1 through 5.19.x before  |
|CVE-2022-42721|AC:L/   |5.19.16 could be used by local attackers (able to    |
|              |PR:L/   |inject WLAN frames) to corrupt a linked list and, in |
|              |UI:N/S:U|turn, potentially execute code.                      |
|              |/C:N/I:N|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |                                                     |
|              |CVSS:3.1|In the Linux kernel 5.8 through 5.19.x before        |
|              |/AV:L/  |5.19.16, local attackers able to inject WLAN frames  |
|CVE-2022-42722|AC:L/   |into the mac80211 stack could cause a NULL pointer   |
|              |PR:L/   |dereference denial-of-service attack against the     |
|              |UI:N/S:U|beacon protection of P2P devices.                    |
|              |/C:N/I:N|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |6.7 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:L/  |drivers/usb/mon/mon_bin.c in usbmon in the Linux     |
|CVE-2022-43750|AC:L/   |kernel before 5.19.15 and 6.x before 6.0.1 allows a  |
|              |PR:H/   |user-space client to corrupt the monitor's internal  |
|              |UI:N/S:U|memory.                                              |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |In the Linux kernel before 6.1.6, a NULL pointer     |
|              |CVSS:3.1|dereference bug in the traffic control subsystem     |
|              |/AV:L/  |allows an unprivileged user to trigger a denial of   |
|CVE-2022-47929|AC:L/   |service (system crash) via a crafted traffic control |
|              |PR:L/   |configuration that is set up with "tc qdisc" and "tc |
|              |UI:N/S:U|class" commands. This affects qdisc_graft in net/    |
|              |/C:N/I:N|sched/sch_api.c.                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:L/  |A NULL pointer dereference flaw was found in         |
|CVE-2023-0394 |AC:L/   |rawv6_push_pending_frames in net/ipv6/raw.c in the   |
|              |PR:L/   |network subcomponent in the Linux kernel. This flaw  |
|              |UI:N/S:U|causes the system to crash.                          |
|              |/C:N/I:N|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |        |There is a use-after-free vulnerability in the Linux |
|              |        |Kernel which can be exploited to achieve local       |
|              |        |privilege escalation. To reach the vulnerability     |
|              |        |kernel configuration flag CONFIG_TLS or              |
|              |7.8 (   |CONFIG_XFRM_ESPINTCP has to be configured, but the   |
|              |CVSS:3.1|operation does not require any privilege. There is a |
|              |/AV:L/  |use-after-free bug of icsk_ulp_data of a struct      |
|CVE-2023-0461 |AC:L/   |inet_connection_sock. When CONFIG_TLS is enabled,    |
|              |PR:L/   |user can install a tls context (struct tls_context)  |
|              |UI:N/S:U|on a connected tcp socket. The context is not cleared|
|              |/C:H/I:H|if this socket is disconnected and reused as a       |
|              |/A:H )  |listener. If a new socket is created from the        |
|              |        |listener, the context is inherited and vulnerable.   |
|              |        |The setsockopt TCP_ULP operation does not require any|
|              |        |privilege. We recommend upgrading past commit        |
|              |        |2c02d41d71f90a5168391b6a5f2954112ba2307c             |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |                                                     |
|              |CVSS:3.1|A use-after-free flaw was found in                   |
|              |/AV:L/  |reconn_set_ipaddr_from_hostname in fs/cifs/connect.c |
|CVE-2023-1195 |AC:L/   |in the Linux kernel. The issue occurs when it forgets|
|              |PR:L/   |to set the free pointer server->hostname to NULL,    |
|              |UI:N/S:U|leading to an invalid pointer request.               |
|              |/C:N/I:N|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |4.7 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:L/  |A race problem was found in fs/proc/task_mmu.c in the|
|CVE-2023-1582 |AC:H/   |memory management sub-component in the Linux kernel. |
|              |PR:L/   |This issue may allow a local attacker with user      |
|              |UI:N/S:U|privilege to cause a denial of service.              |
|              |/C:N/I:N|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |                                                     |
|              |CVSS:3.1|cbq_classify in net/sched/sch_cbq.c in the Linux     |
|              |/AV:L/  |kernel through 6.1.4 allows attackers to cause a     |
|CVE-2023-23454|AC:L/   |denial of service (slab-out-of-bounds read) because  |
|              |PR:L/   |of type confusion (non-negative numbers can sometimes|
|              |UI:N/S:U|indicate a TC_ACT_SHOT condition rather than valid   |
|              |/C:N/I:N|classification results).                             |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |A flaw was found in the Linux kernel Traffic Control |
|              |CVSS:3.1|(TC) subsystem. Using a specific networking          |
|              |/AV:L/  |configuration (redirecting egress packets to ingress |
|CVE-2022-4269 |AC:L/   |using TC action "mirred") a local unprivileged user  |
|              |PR:L/   |could trigger a CPU soft lockup (ABBA deadlock) when |
|              |UI:N/S:U|the transport protocol in use (TCP or SCTP) does a   |
|              |/C:N/I:N|retransmission, resulting in a denial of service     |
|              |/A:H )  |condition.                                           |
+--------------+--------+-----------------------------------------------------+
|              |7.8 (   |                                                     |
|              |CVSS:3.1|A stack overflow flaw was found in the Linux kernel's|
|              |/AV:L/  |SYSCTL subsystem in how a user changes certain kernel|
|CVE-2022-4378 |AC:L/   |parameters and variables. This flaw allows a local   |
|              |PR:L/   |user to crash or potentially escalate their          |
|              |UI:N/S:U|privileges on the system.                            |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |7.8 (   |A use after free vulnerability exists in the ALSA PCM|
|              |CVSS:3.1|package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_   |
|              |/AV:L/  |{READ|WRITE}32 is missing locks that can be used in a|
|CVE-2023-0266 |AC:L/   |use-after-free that can result in a privilege        |
|              |PR:L/   |escalation to gain ring0 access from the system user.|
|              |UI:N/S:U|We recommend upgrading past commit                   |
|              |/C:H/I:H|56b88b50565cd8b946a2d00b0c83927b7ebb055e             |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |7.8 (   |A flaw was found in the Linux kernel, where          |
|              |CVSS:3.1|unauthorized access to the execution of the setuid   |
|              |/AV:L/  |file with capabilities was found in the Linux        |
|CVE-2023-0386 |AC:L/   |kernel's OverlayFS subsystem in how a user copies a  |
|              |PR:L/   |capable file from a nosuid mount into another mount. |
|              |UI:N/S:U|This uid mapping bug allows a local user to escalate |
|              |/C:H/I:H|their privileges on the system.                      |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |7.5 (   |A privilege escalation vulnerability exists in       |
|              |CVSS:3.1|Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that|
|              |/AV:N/  |made it possible to bypass the experimental          |
|CVE-2023-23918|AC:L/   |Permissions (https://nodejs.org/api/permissions.html)|
|              |PR:N/   |feature in Node.js and access non authorized modules |
|              |UI:N/S:U|by using process.mainModule.require(). This only     |
|              |/C:H/I:N|affects users who had enabled the experimental       |
|              |/A:N )  |permissions option with --experimental-policy.       |
+--------------+--------+-----------------------------------------------------+
|              |4.2 (   |                                                     |
|              |CVSS:3.1|An untrusted search path vulnerability exists in     |
|              |/AV:L/  |Node.js <19.6.1, <18.14.1, <16.19.1, and <14.21.3    |
|CVE-2023-23920|AC:L/   |that could allow an attacker to search and           |
|              |PR:H/   |potentially load ICU data when running with elevated |
|              |UI:R/S:U|privileges.                                          |
|              |/C:N/I:H|                                                     |
|              |/A:N )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |8.8 (   |                                                     |
|              |CVSS:3.1|An attacker could construct a PKCS 12 cert bundle in |
|              |/AV:N/  |such a way that could allow for arbitrary memory     |
|CVE-2023-0767 |AC:L/   |writes via PKCS 12 Safe Bag attributes being         |
|              |PR:N/   |mishandled. This vulnerability affects Firefox < 110,|
|              |UI:R/S:U|Thunderbird < 102.8, and Firefox ESR < 102.8.        |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |        |There is a type confusion vulnerability relating to  |
|              |        |X.400 address processing inside an X.509 GeneralName.|
|              |        |X.400 addresses were parsed as an ASN1_STRING but the|
|              |        |public structure definition for GENERAL_NAME         |
|              |        |incorrectly specified the type of the x400Address    |
|              |        |field as ASN1_TYPE. This field is subsequently       |
|              |        |interpreted by the OpenSSL function GENERAL_NAME_cmp |
|              |7.4 (   |as an ASN1_TYPE rather than an ASN1_STRING. When CRL |
|              |CVSS:3.1|checking is enabled (i.e. the application sets the   |
|              |/AV:N/  |X509_V_FLAG_CRL_CHECK flag), this vulnerability may  |
|CVE-2023-0286 |AC:H/   |allow an attacker to pass arbitrary pointers to a    |
|              |PR:N/   |memcmp call, enabling them to read memory contents or|
|              |UI:N/S:U|enact a denial of service. In most cases, the attack |
|              |/C:H/I:N|requires the attacker to provide both the certificate|
|              |/A:H )  |chain and CRL, neither of which need to have a valid |
|              |        |signature. If the attacker only controls one of these|
|              |        |inputs, the other input must already contain an X.400|
|              |        |address as a CRL distribution point, which is        |
|              |        |uncommon. As such, this vulnerability is most likely |
|              |        |to only affect applications which have implemented   |
|              |        |their own functionality for retrieving CRLs over a   |
|              |        |network.                                             |
+--------------+--------+-----------------------------------------------------+
|              |5.5 (   |                                                     |
|              |CVSS:3.1|An out-of-bounds memory access flaw was found in the |
|              |/AV:L/  |Linux kernel Intel's iSMT SMBus host controller      |
|CVE-2022-2873 |AC:L/   |driver in the way a user triggers the                |
|              |PR:L/   |I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with |
|              |UI:N/S:U|malicious input data. This flaw allows a local user  |
|              |/C:N/I:N|to crash the system.                                 |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |7.0 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:L/  |mm/mremap.c in the Linux kernel before 5.13.3 has a  |
|CVE-2022-41222|AC:H/   |use-after-free via a stale TLB because an rmap lock  |
|              |PR:L/   |is not held during a PUD move.                       |
|              |UI:N/S:U|                                                     |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |        |The Linux kernel NFSD implementation prior to        |
|              |        |versions 5.19.17 and 6.0.2 is vulnerable to buffer   |
|              |        |overflow. NFSD tracks the number of pages held by    |
|              |7.5 (   |each NFSD thread by combining the receive and send   |
|              |CVSS:3.1|buffers of a remote procedure call (RPC) into a      |
|              |/AV:N/  |single array of pages. A client can force the send   |
|CVE-2022-43945|AC:L/   |buffer to shrink by sending an RPC message over TCP  |
|              |PR:N/   |with garbage data added at the end of the message.   |
|              |UI:N/S:U|The RPC message with garbage data is still correctly |
|              |/C:N/I:N|formed according to the specification and is passed  |
|              |/A:H )  |forward to handlers. Vulnerable code in NFSD is not  |
|              |        |expecting the oversized request and writes beyond the|
|              |        |allocated buffer space. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/|
|              |        |S:U/C:N/I:N/A:H                                      |
+--------------+--------+-----------------------------------------------------+
|              |9.8 (   |zlib through 1.2.12 has a heap-based buffer over-read|
|              |CVSS:3.1|or buffer overflow in inflate in inflate.c via a     |
|              |/AV:N/  |large gzip header extra field. NOTE: only            |
|CVE-2022-37434|AC:L/   |applications that call inflateGetHeader are affected.|
|              |PR:N/   |Some common applications bundle the affected zlib    |
|              |UI:N/S:U|source code but may be unable to call                |
|              |/C:H/I:H|inflateGetHeader (e.g., see the nodejs/node          |
|              |/A:H )  |reference).                                          |
+--------------+--------+-----------------------------------------------------+
|              |8.1 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:N/  |                                                     |
|CVE-2022-38023|AC:H/   |Netlogon RPC Elevation of Privilege Vulnerability    |
|              |PR:N/   |                                                     |
|              |UI:N/S:U|                                                     |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |        |BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 ->   |
|              |6.8 (   |9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> |
|              |CVSS:3.1|9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9|
|              |/AV:N/  |earlier than those shown - back to 9.1.0, including  |
|CVE-2021-25220|AC:L/   |Supported Preview Editions - are also believed to be |
|              |PR:H/   |affected but have not been tested as they are EOL.   |
|              |UI:N/S:C|The cache could become poisoned with incorrect       |
|              |/C:N/I:H|records leading to queries being made to the wrong   |
|              |/A:N )  |servers, which might also result in false information|
|              |        |being returned to clients.                           |
+--------------+--------+-----------------------------------------------------+
|              |5.3 (   |                                                     |
|              |CVSS:3.1|By flooding the target resolver with queries         |
|              |/AV:N/  |exploiting this flaw an attacker can significantly   |
|CVE-2022-2795 |AC:L/   |impair the resolver's performance, effectively       |
|              |PR:N/   |denying legitimate clients access to the DNS         |
|              |UI:N/S:U|resolution service.                                  |
|              |/C:N/I:N|                                                     |
|              |/A:L )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |8.8 (   |                                                     |
|              |CVSS:3.1|                                                     |
|              |/AV:N/  |                                                     |
|CVE-2022-4254 |AC:L/   |sssd: libsss_certmap fails to sanitise certificate   |
|              |PR:L/   |data used in LDAP filters                            |
|              |UI:N/S:U|                                                     |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |        |Vulnerability in the Oracle Java SE, Oracle GraalVM  |
|              |        |Enterprise Edition product of Oracle Java SE         |
|              |        |(component: Serialization). Supported versions that  |
|              |        |are affected are Oracle Java SE: 8u351, 8u351-perf;  |
|              |        |Oracle GraalVM Enterprise Edition: 20.3.8 and 21.3.4.|
|              |        |Easily exploitable vulnerability allows              |
|              |        |unauthenticated attacker with network access via     |
|              |5.3 (   |multiple protocols to compromise Oracle Java SE,     |
|              |CVSS:3.1|Oracle GraalVM Enterprise Edition. Successful attacks|
|              |/AV:N/  |of this vulnerability can result in unauthorized     |
|              |AC:L/   |update, insert or delete access to some of Oracle    |
|CVE-2023-21830|PR:N/   |Java SE, Oracle GraalVM Enterprise Edition accessible|
|              |UI:N/S:U|data. Note: This vulnerability applies to Java       |
|              |/C:N/I:L|deployments, typically in clients running sandboxed  |
|              |/A:N )  |Java Web Start applications or sandboxed Java        |
|              |        |applets, that load and run untrusted code (e.g., code|
|              |        |that comes from the internet) and rely on the Java   |
|              |        |sandbox for security. This vulnerability does not    |
|              |        |apply to Java deployments, typically in servers, that|
|              |        |load and run only trusted code (e.g., code installed |
|              |        |by an administrator). CVSS 3.1 Base Score 5.3        |
|              |        |(Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L|
|              |        |/PR:N/UI:N/S:U/C:N/I:L/A:N).                         |
+--------------+--------+-----------------------------------------------------+
|              |        |Vulnerability in the Oracle Java SE, Oracle GraalVM  |
|              |        |Enterprise Edition product of Oracle Java SE         |
|              |        |(component: Sound). Supported versions that are      |
|              |        |affected are Oracle Java SE: 8u351, 8u351-perf,      |
|              |        |11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise   |
|              |        |Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to     |
|              |        |exploit vulnerability allows unauthenticated attacker|
|              |        |with network access via multiple protocols to        |
|              |3.7 (   |compromise Oracle Java SE, Oracle GraalVM Enterprise |
|              |CVSS:3.1|Edition. Successful attacks of this vulnerability can|
|              |/AV:N/  |result in unauthorized update, insert or delete      |
|CVE-2023-21843|AC:H/   |access to some of Oracle Java SE, Oracle GraalVM     |
|              |PR:N/   |Enterprise Edition accessible data. Note: This       |
|              |UI:N/S:U|vulnerability applies to Java deployments, typically |
|              |/C:N/I:L|in clients running sandboxed Java Web Start          |
|              |/A:N )  |applications or sandboxed Java applets, that load and|
|              |        |run untrusted code (e.g., code that comes from the   |
|              |        |internet) and rely on the Java sandbox for security. |
|              |        |This vulnerability does not apply to Java            |
|              |        |deployments, typically in servers, that load and run |
|              |        |only trusted code (e.g., code installed by an        |
|              |        |administrator). CVSS 3.1 Base Score 3.7 (Integrity   |
|              |        |impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/|
|              |        |S:U/C:N/I:L/A:N).                                    |
+--------------+--------+-----------------------------------------------------+
|              |        |In Sudo before 1.9.12p2, the sudoedit (aka -e)       |
|              |7.8 (   |feature mishandles extra arguments passed in the     |
|              |CVSS:3.1|user-provided environment variables (SUDO_EDITOR,    |
|              |/AV:L/  |VISUAL, and EDITOR), allowing a local attacker to    |
|              |AC:L/   |append arbitrary entries to the list of files to     |
|CVE-2023-22809|PR:L/   |process. This can lead to privilege escalation.      |
|              |UI:N/S:U|Affected versions are 1.8.0 through 1.9.12.p1. The   |
|              |/C:H/I:H|problem exists because a user-specified editor may   |
|              |/A:H )  |contain a "--" argument that defeats a protection    |
|              |        |mechanism, e.g., an EDITOR='vim -- /path/to/extra/   |
|              |        |file' value.                                         |
+--------------+--------+-----------------------------------------------------+
|              |7.8 (   |                                                     |
|              |CVSS:3.1|A flaw was found in the Linux kernel's driver for the|
|              |/AV:L/  |ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet |
|CVE-2022-2964 |AC:L/   |Devices. The vulnerability contains multiple         |
|              |PR:L/   |out-of-bounds reads and possible out-of-bounds       |
|              |UI:N/S:U|writes.                                              |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
|              |7.8 (   |                                                     |
|              |CVSS:3.1|An incorrect TLB flush issue was found in the Linux  |
|              |/AV:L/  |kernel's GPU i915 kernel driver, potentially leading |
|CVE-2022-4139 |AC:L/   |to random memory corruption or data leaks. This flaw |
|              |PR:L/   |could allow a local user to crash the system or      |
|              |UI:N/S:U|escalate their privileges on the system.             |
|              |/C:H/I:H|                                                     |
|              |/A:H )  |                                                     |
+--------------+--------+-----------------------------------------------------+
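The CVE-2023-22809 entry above states the mechanism in one sentence. The following Python model is added here as an illustration; it is not code from sudo, from Juniper or from this advisory. It models the two halves of sudoedit that matter: the sudoers policy side, which splits the SUDO_EDITOR/VISUAL/EDITOR value on whitespace and appends "--" followed by the files the sudoers rule permits, and the sudo front-end side, which splits the resulting argument vector at the first "--" to obtain the list of files it copies to temporary files, hands to the editor and writes back with elevated privileges. An editor value that itself contains "--" therefore moves the separator and pushes extra entries into that file list. The permitted file name /etc/allowed.conf and the function names are constructed for the example; fixed=True models the check the patched sudo releases add, namely refusing an editor word equal to "--" (my understanding of the fix, not a quotation of it).

```python
"""Model of the sudoedit editor-argument handling behind CVE-2023-22809.

Constructed example; simplifies sudo's real code (plugins/sudoers/editor.c
and src/sudo_edit.c) to the two steps that produce the file list.
"""


def split_editor_spec(spec):
    """Tokenise an editor variable value on whitespace.

    sudo splits the editor string on spaces and tabs without any shell
    quoting, so a value such as 'vim -- /path/to/extra/file' becomes
    three words, one of which is "--".
    """
    return spec.split()


def policy_build_argv(editor_spec, allowed_files, fixed=False):
    """What the sudoers policy side hands to the sudo front-end.

    The argument vector is: editor words, then a "--" separator, then the
    files the sudoers rule permits the user to edit.  With fixed=True the
    editor words are refused if any of them is "--" (the check the patched
    releases add, as modelled here).  Returns None when refused.
    """
    words = split_editor_spec(editor_spec)
    if not words:
        return None                      # empty editor value: nothing to run
    if fixed and "--" in words:
        return None                      # patched behaviour: refuse the editor
    return words + ["--"] + list(allowed_files)


def frontend_split(argv):
    """The front-end's view of that vector.

    Everything before the first "--" is the editor command; everything
    after it is the list of files sudoedit processes (copy out, edit,
    write back).  A second "--" further along is just another entry in
    the file list, which is why an injected separator is not noticed.
    """
    sep = argv.index("--")
    return argv[:sep], argv[sep + 1:]


def files_processed(editor_spec, allowed_files, fixed=False):
    """End to end: which files would sudoedit process for this editor value?

    Returns the file list, or None when the editor value is refused.
    """
    argv = policy_build_argv(editor_spec, allowed_files, fixed=fixed)
    if argv is None:
        return None
    _editor, files = frontend_split(argv)
    return files


if __name__ == "__main__":
    allowed = ["/etc/allowed.conf"]      # constructed: what the sudoers rule permits
    for spec in ("vim", "vim -- /path/to/extra/file"):
        for fixed in (False, True):
            print(f"EDITOR={spec!r:30} fixed={fixed!s:5} -> "
                  f"{files_processed(spec, allowed, fixed)}")
```

Run stand-alone, the unpatched model with the advisory's EDITOR value yields a file list that begins with /path/to/extra/file, i.e. a file the sudoers rule never granted, while the patched model returns None for that value and the plain "vim" value behaves identically in both. The same whitespace split is what makes a quick pre-flight check on a host cheap: any "--" word in SUDO_EDITOR, VISUAL or EDITOR for a sudoedit user is a red flag on a sudo release older than the fixed one.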

Solution:

The following software releases have been updated to resolve these specific
issues: SSR-6.2.3-r2 and all subsequent releases.

These issues are being tracked as Jira tickets I95-54048, I95-54027, I95-54026,
I95-53838, I95-53817, I95-53622, I95-53477, I95-53476, I95-52956, I95-52645,
I95-52644, I95-52625, I95-52554, I95-52509, I95-52497, I95-52496, I95-52495,
I95-51758, I95-51431, I95-50812, I95-50790, I95-50508, I95-50506, I95-50360,
I95-50359, I95-50358, I95-49747, I95-49746, I95-49745, I95-49456 and I95-49445.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

Workaround:

There are no known workarounds for these issues.

Modification History:

2024-01-10: Initial Publication.

Related Information:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

Last Updated: 2024-01-10
Created:      2024-01-10

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZZ9Q6skNZI30y1K9AQgwUg/+JvledmGX0E9ju3iVzrOi7xcoa1Fg1gkV
WyJK/HdptGm2f///FxpWMXU3Bqk0yJJa9LorWSdylcwPu2ACI3ZfVLviCTpG75vI
UVxfIw7A8DJJ70xq0mdZOkEEZCBzvCBOr+XcZ6TqW4tQ6/AfocbBKBZ9AEUj2Znu
ZEAy0Zhg9M9iXmmBmoUCsASaP+FebWZaYCqcu8Fzf7++pZzTL8Hr8MicZvSAcTo8
s7m1CG77wCfqx+XYtH5R7E3Lv5rXvFnp4QxbXG5KPuAb5DAx83qIWZsNZ0OQ7eG7
bs7ycrU79409tsO8XL6ggE85GAJK9ct9b3TFFASnWZ5PKGHIrUQmfNbqTvwtZo6b
y4K45xhwjj165YMonv/au2i1PENSB6ttfeK0D8wGPA7JQhdnFlZjfioZaXjJ40ox
0XGhsLMlwV4VdFlvFiev6aUNz9RKR2R8Ft5EvHqi6fVioScuEDTveEF2sJ1nnKjP
VMc0P+MXstOBqtMD7uPtyrdNl6cbVxw3T0Grr0zIygMG0ShMTOM4lAh6dBrP+Fu3
idDMXQ/koo1wEzCGM7Myat2HUhPtDk1SI25A8eATI/Zi6reloSjhGIT4xYz1xPxC
ggmbpZyrQo2x/g1dzuXzQXZwKUGWciNshqtWzyN2Pp+FwwOp+Ji8uEoJydc/3d9k
g4jrIEuvb1c=
=recy
-----END PGP SIGNATURE-----